Information security is becoming an important aspect of organisations, and 
organisations are progressively conscious of its importance in their 
business strategy. This awareness has led organisations to apply for an 
information security management system (ISMS) in order to manage 
their information assets effectively. Therefore, this research aims to provide an 
Information Structure Framework for ISMS planning and certification. A 
Likert-structured questionnaire was distributed and the findings were 
analysed using the Rasch Measurement Model (RMM). The results of this 
study were used to develop an Information Structure Framework for ISMS. The 
proposed framework consists of an information structure that focuses on providing 
the information outline, structured in a way in which the 
components are put together to form a meaningful structure which can be 
navigated at any time. The framework contributes to the field of ISMS and to the 
certification area. The framework provides awareness by letting practitioners know 
beforehand what to do and to what extent they already possess the 
information needed for getting a clear direction and developing an ISMS. 

1. INTRODUCTION 

In the current information age, information security has become a vital concern. 
This is because most organisations have extensively replaced physical forms of data with 
electronic forms, which have the capacity to speed up any information-based 
activities [1]. Hence organisations are becoming gradually aware that information security is a significant 
aspect of their business strategy. 

Undoubtedly, these concerns have created an awareness among organisations of the need to achieve an ideal level of 
information security by applying an Information Security Management System (ISMS) for establishing, 
implementing, operating, monitoring, reviewing, maintaining and improving an organisation's information 
security in order to achieve business objectives [2]-[4]. An ISMS can be defined as a management system used for 
establishing and maintaining a secure information environment [5]. 

Basically, an ISMS makes sure that the correct people, technologies and processes are in place, 
and facilitates a proactive approach to managing security and risk [6]-[8]. However, the field of information 
security has to move from purely technical issues, or a technology point of view, to a completely different 
point of view, in which wider concern is given to management issues, with emphasis on the procedures 
and processes involved in the development of a secure information management system. 

Little research has been carried out to highlight the need for accurately 
defined steps of procedures and processes that provide a structured way of handling an ISMS for an organisation. 
It is found that ISMS methods differ from each other only in terms of the details of the analytic 
process and the information they prescribe [9]. Hence, it would be helpful if organisations had a 
comprehensive picture of the ISMS, giving a holistic view beforehand of whatever information they 
will need before starting the ISMS planning. 

In the current information security world, the majority of organisations adopt the well-known "Plan-Do- 
Check-Act" (PDCA) lifecycle model to implement an ISMS in their workplace. The PDCA approach 
emphasises the controls required in information security, and only limited information is given regarding 
the security objectives and the potential strategies to be implemented for these objectives [10], [11]. 
Therefore, the model is unable to give any suggestion on how organisations should develop 
security strategies and objectives [10], [11]. In addition, since the main reason for developing the PDCA 
model was to cater to the need for a methodical methodology when optimising automated manufacturing 
processes in the 1950s, PDCA is not very suitable for describing the most important activities in ISMS 
procedures and processes [12]. 

Even though various ISMS methods and approaches are currently available, many 
organisations face difficulty in determining the most suitable methodology for their exact 
requirements [13]. Moreover, the lack of one ideal ISMS method that would be appropriate 
for all organisations has made the situation even more awkward for end-users [14]. Furthermore, 
the currently available ISMS methodologies do not outline comprehensive steps of risk assessment and 
management. 

The information structure framework for ISMS was developed by deploying a questionnaire with 
Likert scale questions administered to a group of information security practitioners in Malaysia (N=150). 
The analysis was conducted using the Rasch Measurement Model (RMM) analysis technique. The results of 
this study were used to develop an Information Structure Framework for ISMS planning and certification, which 
consists of an information structure that focuses on providing a layout of information organised in a way in 
which the components are put together to form a meaningful structure which can be navigated at any time. 

This paper seeks to contribute by giving practitioners a holistic view for collecting all the needed 
information and fulfilling the requirements for an ISMS, based on the information structure, before starting their 
actual ISMS implementation. This study contributes to the field of information security management systems, 
particularly ISMS certification, by providing a process-approach framework which lists all the 
necessary components for guiding practitioners to choose their preferred ISMS methodology or to go through the ISMS 
certification procedure. The proposed framework provides guidelines which practitioners can use 
to perform ISMS planning, development and certification. 

This paper is organised into several sections. Section 2 explains the related work for this study. 
Section 3 explains the research method used, followed by the results and discussion. Last but not least, 
Section 5 concludes the paper. 


2. RESEARCH METHOD 

The research objective of this study is achieved by structuring the instrument of the 
study, namely a Likert scale questionnaire. This survey was developed and completed by following the four 
steps suggested by Czaja and Blair (2005). The steps are a) questionnaire development, b) pilot test, 
c) survey distribution, and d) data analysis and results. 


2.1. Instrument Creation 

The questionnaire consists of two sections. The survey is written in English and contains the 
following parts: Section 1: Information Structure for ISMS and Section 2: Demographic Profile. Questions in 
Section 1 are divided into three (3) subsections, known as (a) management requirements, 
(b) establishment and assessment and (c) risk management improvement. The Likert scale 
used for Section 1 is a frequency scale: Unimportant (0), Slightly Important (1), Moderately 
Important (2), Important (3). 


2.2. Data Collection 

This study used cluster sampling. The respondents for this study were collected from the authorised 
websites of (a) SIRIM QAS and (b) CyberSecurity Malaysia. A total of one hundred and fifty (150) samples 
were finalised as participants in this study. The total population size in the year 2016 was 233 based on the 
report of the ISO survey 2016. Based on the recommended sample size, the required sample for this population is 148 [15]. 
However, 201 questionnaires were distributed, but only 160 sets were returned, of which 150 responses were 
useful for analysis. The responses received represent 75 percent of the proposed sample size. 

Information Structure Framework for ISMS Planning and Certification... (Palaniappan Shamala) 
636 ISSN: 2502-4752 


2.3. Data Analysis Using Rasch Measurement Model (RMM) 

In this phase, data analysis was conducted using the Rasch Measurement Model (RMM) to determine 
which components of the information structure are supported and accepted by the data. RMM is 
extensively applied in education to calibrate and evaluate items in tests, questionnaires and other instruments, 
and to score subjects on their abilities, attitudes or other latent traits [16]. RMM states that measures should be 
unidimensional, in order to determine whether items relate to one underlying concept [17], [18]. This lets the 
researcher select items for a measurement tool that reflect different levels of ability [18]. RMM is a 
suitable analysis technique because it measures unidimensionality and creates item hierarchies. 

Therefore, by using RMM analysis, the researcher can provide indicators of how well each 
component fits within the underlying construct of the information structure. The RMM analysis uses the 
Winsteps software to perform the following tests: a) model fit (dimensionality), b) item fit and c) illustration of 
the construct hierarchy by way of item maps. 


3. RESULTS AND DISCUSSION 

Determining the components of the ISMS information structure is important, as they serve as basic directive 
guidance for information security practitioners to identify and gather information and to define the steps 
needed in every phase of the ISMS. Hence, RMM is used to determine whether items that match the 
theoretical concept can be included in developing the framework. The final analysis results inform the generation of 
an information structure for ISMS (Appendix A). 


3.1. Reliability of Real Survey 

In order to confirm that the questionnaire survey is reliable for use with a large sample, the reliability 
values were determined as in Table 1. The item reliability value for this survey (0.99) shows that the item reliability of 
the instrument is excellent for use in this research. Moreover, the person reliability value 
is also excellent (0.95). 


Table 1. Reliability of Real Study 

Questionnaire Survey                 Reliability    Real    Model 
Section 1: Information Structure     Person         0.95    0.95 
                                     Item           0.99    0.99 


3.2. Construct Validity (Principal Component Analysis (PCA)) 

Principal component analysis determines the construct validity for the real survey with a large sample. 
In order to make sure that all the items fit a unidimensional construct, a PCA of residuals was run. In total, 
44.7% of the variance was explained by the Rasch dimension, and the unexplained variance in the first contrast was 5.2%. The evidence for the 
presence of a unidimensional construct is shown in Table 2. 


Table 2. Principal Components Analysis (Information Structure) 

                                                      Empirical            Modeled 
Total raw variance in observations      = 135.7   100.0%                 100.0% 
Raw variance explained by measures      =  60.7    44.7%                  44.3% 
  Raw variance explained by persons     =  27.3    20.1%                  20.0% 
  Raw variance explained by items       =  33.4    24.6%                  24.4% 
Raw unexplained variance (total)        =  75.0    55.3%   100.0%         55.7% 
  Unexplained variance in 1st contrast  =   7.0     5.2%     9.4% 
  Unexplained variance in 2nd contrast  =   5.8     4.3%     7.8% 
  Unexplained variance in 3rd contrast  =   4.6     3.4%     6.2% 
  Unexplained variance in 4th contrast  =   4.4     3.3%     5.9% 
  Unexplained variance in 5th contrast  =   3.8     2.8%     5.1% 

3.3. Item Hierarchy on Information Structure for ISMS 

The components of the information structure are those required by practitioners to conduct an ISMS; the 
components in the framework will guide the process of conducting the ISMS in a more methodical manner if 
practitioners identify beforehand the information they will need before the beginning of the 
ISMS strategy. Results from the item map were conveyed into a logit result table as in Table 3. Table 3 
presents the level of respondents' expectation and requirement, measured in logits by the Rasch model. The Likert 
scale was converted into a four-point scale. 


Table 3. Score Category of Logit for Components of Information Structure for ISMS 

Logit             Interpretation 
-1.90 to  1.15    Important 
 1.16 to  4.21    Moderately Important 
 4.22 to  7.27    Slightly Important 
 7.28 to 10.33    Unimportant 


Results from Table 4 determined the components that were significant for inclusion in the 
information structure, as agreed by information security practitioners. The ISMS can be divided into three 
phases: management requirement; establishment and assessment, threats and vulnerability; and risk 
management improvement. There are 75 items (components) altogether for the three phases. Out of the 75 items, 
only 73 were agreed upon and accepted by information security practitioners. 

In this research, items ranked at logit 4.22 and below were accepted as components of the 
information security management system. Based on the results, 73 items are considered the most easily endorsed 
items and are regarded as important in the hierarchy by information security practitioners. As all the accepted 
items fell below logit 4.22, they are accepted as components of the ISMS information structure. 
Only two items fell in the hierarchy as unimportant and were hence rejected. 


3.4. Item Measure Quality for Information Structure 

Table 4 shows the item measure quality values for the components of the ISMS information structure. 
The results indicate that all item values were in the range between 0.5 and 1.5 for MnSq, and the requirement of a 
Zstd value within +2.0 was also fulfilled, except for two items (highlighted in yellow) which misfit the framework 
expectation and were therefore considered for removal from the framework. Therefore, only the items fulfilling these criteria were 
added as components of the ISMS information structure. 
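As an added illustration, not code from the paper, the following Python applies the screening rule of Sections 3.3 and 3.4 (MnSq between 0.5 and 1.5, |Zstd| within 2.0, logit at or below 4.22, Table 3 bands for the interpretation) to a few item rows: the four readable rows are taken from Table 4 and the two rejected rows are constructed. It assumes both INFIT and OUTFIT must satisfy the fit criteria and that an item at exactly logit 4.22 is still accepted, as the text states.

```python
from dataclasses import dataclass

# Thresholds as stated in the paper: MnSq in 0.5..1.5 and |Zstd| <= 2.0 (Section 3.4);
# items at logit 4.22 or below are accepted (Section 3.3).
MNSQ_LOW, MNSQ_HIGH = 0.5, 1.5
ZSTD_LIMIT = 2.0
LOGIT_ACCEPT = 4.22

# Upper (exclusive) bounds of the Table 3 score bands; anything higher is Unimportant.
LOGIT_BANDS = [
    (1.16, "Important"),             # -1.90 to 1.15
    (4.22, "Moderately Important"),  # 1.16 to 4.21
    (7.28, "Slightly Important"),    # 4.22 to 7.27
]

@dataclass
class Item:
    name: str
    infit_mnsq: float
    infit_zstd: float
    outfit_mnsq: float
    outfit_zstd: float
    logit: float

def interpret_logit(logit: float) -> str:
    """Map an item's logit measure to its Table 3 category."""
    for upper, label in LOGIT_BANDS:
        if logit < upper:
            return label
    return "Unimportant"  # 7.28 to 10.33

def fit_ok(item: Item) -> bool:
    """Item measure quality: INFIT and OUTFIT MnSq and Zstd all within range (assumption: both stats)."""
    mnsq_ok = all(MNSQ_LOW <= v <= MNSQ_HIGH for v in (item.infit_mnsq, item.outfit_mnsq))
    zstd_ok = all(abs(v) <= ZSTD_LIMIT for v in (item.infit_zstd, item.outfit_zstd))
    return mnsq_ok and zstd_ok

def screen(items: list) -> dict:
    """Return {name: (category, accepted, reason)}; misfit is checked before endorsement."""
    result = {}
    for it in items:
        category = interpret_logit(it.logit)
        if not fit_ok(it):
            result[it.name] = (category, False, "misfit")
        elif it.logit > LOGIT_ACCEPT:
            result[it.name] = (category, False, "hard to endorse")
        else:
            result[it.name] = (category, True, "accepted")
    return result

# The first four rows are readable rows of Table 4; the last two are constructed.
SAMPLE_ITEMS = [
    Item("Professional certification when hiring", 0.91, -1.0, 0.93, -0.3, -0.04),
    Item("Professional designations when hiring", 0.94, -0.7, 0.88, -0.5, -0.01),
    Item("Chief Technology Officer (CTO)", 0.99, -0.1, 0.85, -0.7, -0.04),
    Item("Chief Information Officer (CIO)", 0.94, -0.7, 0.83, -0.8, -0.04),
    Item("constructed: noisy item", 1.62, 2.4, 1.71, 2.6, 0.50),
    Item("constructed: rarely endorsed item", 1.05, 0.3, 1.10, 0.4, 8.10),
]
```

Calling screen(SAMPLE_ITEMS) accepts the four Table 4 rows as Important and rejects the two constructed rows, one for misfit and one for being too hard to endorse.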


Table 4. Analysis Results of RMM for Components of Information Structure for ISMS 

COMPONENTS OF INFORMATION STRUCTURE FOR ISMS 
Columns: INFIT MnSq | INFIT Zstd | OUTFIT MnSq | OUTFIT Zstd | Logit | Interpretation 

MANAGEMENT REQUIREMENTS 

Criteria for Hiring/Promoting Information Security Practitioners 
  Skills and abilities when hiring or promoting information security staff 
  Professional certification when hiring information security staff | 0.91 | -1.0 | 0.93 | -0.3 | -0.04 | 
  Professional designations when hiring information security staff  | 0.94 | -0.7 | 0.88 | -0.5 | -0.01 | 

Types of Risk Assessment Documents 
  Documentation of business 

Information Security Management Committee: Top Management 
  Chief Executive Officer (CEO): responsible for all day-to-day management decisions and for implementing the organization's long 
  Chief Operating Officer (COO): responsible for the daily operation of the organization. 
  Chief Technology Officer (CTO): focused on scientific and technological issues within an organization. | 0.99 | -0.1 | 0.85 | -0.7 | -0.04 | Important 
  Chief Information Officer (CIO): responsible for the information technology and computer systems that support organizational goals. | 0.94 | -0.7 | 0.83 | -0.8 | -0.04 | Important 

Information Security Management Committee: Information Security Professionals 
  Chief Information Security Officer (CISO): define information security strategic direction, develop and maintain policies and establish roles and responsibility for information security within the organization. 
  Information Security Operations: performing daily operations. 
  Information Security Audits: audit against security policies, standards, legal and regulatory requirements. 
  Information Security Compliance: monitor compliance by the staff to the information security policies, standards and procedures. 

Top Management Involvement and Support 
  Top management attends information security meetings. 
  Top management is involved in information security decisions. 

Establish Organizational Context 
  Organizational objectives/goals 
  Organizational scope and boundaries 
  Scope and boundary of the security review 
  Information related to the IT system's function | Important 
  Person who use/support the IT system | Important 
  Schedules and deliverables | Important 

Information Gathering Techniques 
  Presentation and discussion | Important 

Information Assets 
  Physical Assets | Important 
  Staff with experience and expertise are the organization's important resource 
  Experts' knowledge which is codified or articulated in publications, audio-visual materials, flowcharts, scripts. 
  Digital media (example: desktop PCs, notebook computers, personal digital assistants (PDAs)) 
  Cognitive media (exists in the mind of a personnel) 
  Non-Technical Assets: informal and unofficial information is leaked 
  Distribution: within the organization 
  Access & Use: activities such as printing, photocopying, capturing, scanning, typing, writing, reading, hearing and speaking 

RISK MANAGEMENT IMPROVEMENT 

Information Security Training for Information Security Staff 

4. CONCLUSION 

The main contribution of this study is the information structure framework for ISMS. The existing 
ISMS process approach and certification model popularly used by organisations to structure all their 
ISMS processes is the PDCA model. The PDCA model uses Deming's theory to form the basis for total quality 
management and the ISO 9001 quality standards. The PDCA model's limitation is that it is unable to 
give any suggestion on how organisations should develop security objectives and strategies. 
The information structure framework, however, lists all the components involved in the ISMS process. 
Practitioners only need to follow the laid-out information flow together with the quality elements to achieve 
the ISMS development. 

Each information security department in the organisation has the responsibility to do 
strategic planning. The department is required to prepare comprehensively all the compulsory planning before 
beginning their actual security management. Therefore, with the proposed information structure 
framework, the process of gathering the required information in order to conduct the ISMS will be more 
methodical and convincing if organisations are able to recognise beforehand all the information they 
need before the commencement of the plan. It is believed to guide practitioners step by step with a 
general view of the flow, the types of information to be gathered and the requirements to be met before the ISMS is 
conducted. Practitioners plan by deciding in advance what to do, how to do it, when to do it and who 
is to do it, which leads to a clear direction for reaching ISMS goals and objectives. 

The benefit of the framework is offered to information security practitioners, regardless of whether 
they are newly approaching the application of an ISMS or have long been in this field. This study 
contributes to the field of information security management systems, particularly ISMS certification, by 
providing a process-approach framework which lists all the necessary components for guiding practitioners to 
choose their preferred ISMS methodology or to go through the ISMS certification procedure. The proposed framework 
provides guidelines which practitioners can use to perform ISMS planning, development 
and certification. 